DOCSLIB.ORG

Ipv6 Security for Ipv4 Engineers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Ipv6 Security for Ipv4 Engineers March 2019 – Version 1.0 Network Security IPv6 Security for IPv4 Engineers Author Fernando Gont Network Security – IPv6 Security for IPv4 Engineers 2 Abstract This document provides an overview of IPv6 security that is specifically aimed at IPv4 engineers and operators. Rather than describing IPv6 in an isolated manner, it aims to re-use as much of the existing IPv4 knowledge and experience as possible. It highlights the security issues that affect both protocols in the same manner, as well as those that are new or different for the IPv6 protocol suite. Additionally, it discusses the security implications arising from the co-existence of the IPv6 and IPv4 protocols. 1. Introduction The IPv6 protocol suite has been designed to accommodate the present and future growth of the Internet by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. The imminent exhaustion of the IPv4 address space has already led to the deployment of IPv6 in a large number of production environments, with many other organizations planning to deploy IPv6 in the short or near term. There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint [IPV6-SEC]. Firstly, being a newer technology, technical personnel have less confidence with the IPv6 protocol suite than with its IPv4 counterpart, and it is therefore possible that the security implications of the protocols will be overlooked when they are deployed on production networks. Secondly, IPv6 implementations tend to be less mature than their IPv4 counterparts, and it therefore likely that vulnerabilities will be discovered before their robustness matches that of existing IPv4 implementations.Thirdly, security products such as firewalls and NIDS’s (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts [IPV6-SEC-2] [IPV6-FW]. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security controls in unexpected ways [RFC7123]. Finally, marketing claims have created a lot of myths around IPv6 (and IPv6 security in particular), hindering proper awareness about IPv6 and its security considerations in particular [IPV6-MYTHS]. This document provides an overview of IPv6 security that is specifically aimed at IPv4 engineers and operators. Rather than describing IPv6 in an isolated manner, it aims to re-use as much of the existing IPv4 knowledge and experience as possible, by highlighting the security issues that affect both protocols in the same manner, those that are new or different for the IPv6 protocol suite, and those that arise from the co-existence of IPv6 and IPv4. internetsociety.org Network Security – IPv6 Security for IPv4 Engineers 3 2. Security Implications of the IPv6 Protocol Suite The IPv6 protocol suite provides very similar functionality and services to those provided by its IPv4 counterpart. Namely, it provides an unreliable datagram transfer service to the upper layers and implements features such as automatic host configuration, fault isolation, etc. However, most of these features are implemented by means of completely different mechanisms. The following table provides a rough comparison of IPv4 and IPv6 features, highlighting how each feature is implemented in each version of the protocol: Feature IPv4 IPv6 Addressing 32 bits 128 bits Packet structure Variable-length header Fixed-size base header + Extension Headers Address Resolution ARP ICMPv6 NS/NA (+ MLD) Auto-configuration DHCP ICMPv6 RS/RA & DHCPv6 (+ MLD) Fault Isolation ICMPv4 ICMPv6 IPsec support Optional Optional Fragmentation Both in hosts and routers Only in hosts Multicast Usage Only for Multicast apps Required for Neighbor Discovery Network Architecture Private addresses + NAT Global addresses + Firewall Comparing the IPv4 and IPv6 protocol suites in this manner is particularly important from a security standpoint for at less two reasons. Firstly, it stresses what features/services are present in both protocols, and consequently what features/services can be subject to attacks. Secondly, spelling out the specific mechanisms that are employed to implement a given feature/service provides a hint regarding the possible differences in corresponding attacks, as well as in possible mitigations. The following subsections provide an overview of each of the aforementioned IPv6 features, how the implementation of each feature differs from the IPv4 counterpart, and what are the security implications of such differences. 2.1. IP Addressing The main driver for the adoption and deployment of IPv6 is its larger address space. The structure internetsociety.org Network Security – IPv6 Security for IPv4 Engineers 4 of IPv6 addresses is quite similar to that of their IPv4 counterparts, namely there are different address types (unicast, multicast, etc.) and scopes (link-local, global, etc.) and addresses are normally aggregated (as “prefixes”) for the purpose of routing. However, IPv6 addresses are obviously much larger than their IPv4 counterparts: 128-bits vs. 32 bits. Similarly, IPv6 subnets are normally much larger than their IPv4 counterparts: in IPv4, /24 (or smaller) subnets are quite common, while /64 subnets are the norm for the IPv6 case, allowing for 264 possible addresses - a virtually unlimited number of addresses for each subnet. While IPv4 systems typically employ only one address per network interface, IPv6 systems normally employ multiple addresses for each network interface. For example, each network interface will normally employ one link-local unicast address, and one (or more) global unicast address. IPv6 also makes extensive use of multicasting (e.g. for address resolution and automatic configuration) and nodes are therefore normally reachable via one or more multicast addresses. These differences warrant the discussion of a number of topics that are closely related to IPv6 addressing: • IPv6 network reconnaissance • Impact of IPv6 subnet size on IPv6 stack resiliency • Challenges arising from IPv6 host address availability • Lack of Address Translation The following sub-sections discuss each of these areas, and their corresponding security implications. 2.1.1. IPv6 Network Reconnaissance The much larger IPv6 subnet size results in a much lower host address density in IPv6 subnets. That is, given an IPv6 subnet, only a very small fraction of the available addresses are actually employed by nodes on such subnet (see [RFC4692] and [RFC7421] for further discussion). If addresses are randomly distributed over the 264 possible values, it becomes unfeasible to brute- force search for “alive” nodes on a target network (as with the typical “ping sweeps” normally employed in the IPv4 world). This may be beneficial for mitigating network reconnaissance attacks but may also hinder legitimate penetration tests and security assessments. The feasibility and effectiveness of IPv6 address scans depends on whether the addresses of nodes in the target network follow specific patterns. For example, recent versions of most internetsociety.org Network Security – IPv6 Security for IPv4 Engineers 5 operating systems generate unpredictable IPv6 addresses when SLAAC is employed (see [RFC8064] and [RFC7217]). In such scenarios, traditional brute-force network reconnaissance via the so-called “ping sweeps” becomes unfeasible, and thus alternative techniques need to be employed. However, servers, routers, and other infrastructure systems tend to employ manual configuration and typically result in predictable addresses that may be easily discovered by means of IPv6 address scans [RFC7707]. The effectiveness of IPv6 address scans will typically depend on how addresses are configured (SLAAC, DHCPv6, or manual configuration) and the type of target node (clients, servers, routers, etc.). [RFC7707] discusses network reconnaissance in IPv6 networks in detail. While there is a plethora of techniques for performing network reconnaissance in IPv6 networks, some of them have been found to be particularly effective. If the target is a local subnet, the following techniques have been found to be effective: • Multicasted probes (ICMPv6 echo, and specially-crafted probe packets that elicit ICMPv6 error messages) • Multicast DNS (mDNS) queries. On the other hand, if the target is a remote network, the following techniques may be used: • Pattern-based address scans • DNS zone transfers • DNS reverse mappings • Certificate transparency framework • Search engines Pattern-based address scans are discussed in detail in [RFC7707], whilst [DNS-REV] and [DNS- REV2] discuss DNS reverse mappings with practical examples. [CTF] discusses the use of search engines and the certificate transparency framework for network reconnaissance, with practical examples. [IPV6-REC] provides practical examples of several techniques for IPv6 network reconnaissance using open source tools. internetsociety.org Network Security – IPv6 Security for IPv4 Engineers 6 We note that whilst the address scan techniques are IPv6-specific, the other techniques can also be employed to map IPv4 systems and networks. However, they become more relevant for IPv6 because of the unfeasibility to perform traditional brute-force address scans. 2.1.2. Impact of IPv6 subnet size on IPv6 stack resiliency IPv4 subnets do not accommodate more than a few hundred or
Load more

Recommended publications
  • SIP Software for Avaya 1200 Series IP Deskphones-Administration
    SIP Software for Avaya 1200 Series IP Deskphones-Administration Release 4.4 NN43170-601 Issue 06.05 Standard July 2015 © 2015 Avaya Inc. list of Heritage Nortel Products located at http://support.avaya.com/ All Rights Reserved. LicenseInfo under the link “Heritage Nortel Products” or such successor site as designated by Avaya. For Heritage Nortel Notice Software, Avaya grants You a license to use Heritage Nortel While reasonable efforts have been made to ensure that the Software provided hereunder solely to the extent of the authorized information in this document is complete and accurate at the time of activation or authorized usage level, solely for the purpose specified printing, Avaya assumes no liability for any errors. Avaya reserves in the Documentation, and solely as embedded in, for execution on, the right to make changes and corrections to the information in this or for communication with Avaya equipment. Charges for Heritage document without the obligation to notify any person or organization Nortel Software may be based on extent of activation or use of such changes. authorized as specified in an order or invoice. Documentation disclaimer Copyright “Documentation” means information published by Avaya in varying Except where expressly stated otherwise, no use should be made of mediums which may include product information, operating materials on this site, the Documentation, Software, Hosted Service, instructions and performance specifications that Avaya may generally or hardware provided by Avaya. All content on this site, the make available to users of its products and Hosted Services. documentation, Hosted Service, and the product provided by Avaya Documentation does not include marketing materials.
    [Show full text]
  • Paths to Our Digital Future Table of Contents
    INTERNET SOCIETY GLOBAL INTERNET REPORT Paths to Our Digital Future Table of Contents Foreword by Kathy Brown, Executive summary Introduction President and CEO, 5–13 14–16 Internet Society 3–4 How we see the Internet Drivers of Change Drivers of Change 16–19 & Areas of Impact 24–61 21–23 Areas of Impact What if? Recommendations 62–84 85–103 104–110 Conclusion Methodology Acknowledgements 111–113 114–117 118–119 internetsociety.org 2 Foreword Foreword by Kathy Brown, President and CEO, Internet Society The Internet Society’s history is inseparably tied to The Internet Society’s fourth annual Global Internet the history of the Internet itself. We were founded Report — Paths to Our Digital Future — explores in 1992 by Internet pioneers Bob Kahn and Vint Cerf, this important question. This comprehensive report along with numerous other visionary individuals brings together insights from across our diverse and organisations. These early Internet luminaries global community to inspire all who engage with the believed that ‘a society would emerge from the Internet to think differently and to prepare for the idea that is the Internet’. And they were right. The opportunities and challenges on the horizon. Internet has come a long way since its inception, and is now part of our social fabric — essential to how No one knows exactly how the Internet will evolve, we connect, communicate, create and collaborate. but we do know it will require new thinking, new approaches and new tools for this rapidly changing 2017 marks a significant milestone for the Internet world around us. Society.
    [Show full text]
  • The Open Internet
    The Open Internet What it is, and how to avoid mistaking it for something else. SEPTEMBER 2014 Introduction1 It is not by chance that we have enjoyed the extraordinary success of the Internet as a global engine of economic, political, cultural, and social progress. Fundamental principles embedded in the architecture of the Internet as a collaboration among designers, builders, providers, and users led directly to this success. Sustaining it will require a commitment by today’s policy makers to understand and respect those principles—not because they are honored by time or tradition, but because they confer tangible present and future benefits. The term "Open Internet" has been used so often and so freely that everyone knows what it means—or thinks they know what it means, and assumes that everyone else means the same thing when they use it. After all, the core enabling principle of the Internet as a system that includes users, applications, and infrastructure is openness, which infuses every aspect of the modern Internet—technical, economic, political, and social. But depending on the context in which it is used, the word open conveys different meanings, particularly when subtle (or not–so–subtle) variations are introduced by translation from one language to another; and because “openness” has become an important issue in many Internet political debates, defining what it means has become part of those debates. As is usually the case when people understand the terms and concepts of a debate differently, it will be difficult for us to resolve important issues of Internet policy until we reconcile our different understandings of open and openness in principle and in practice.
    [Show full text]
  • Internet Society Comments: Taking Stock of the 2011 Nairobi Meeting Of
    Internet Society comments: Taking stock of the 2011 Nairobi Meeting of the Internet Governance Forum and Suggestions for the Agenda and Format of the 2012 Meeting The Internet Society (ISOC) would like to congratulate the IGF Secretariat and the host country for the successful organization of the sixth Internet Governance Forum (IGF), held from 27-30 September 2011 in Nairobi, Kenya. The record attendance, the highest of all IGF meetings so far, bears witness to the Forum’s value to all stakeholders. There was a shared understanding of the importance of holding the sixth meeting of the IGF – the first since the renewal of its mandate – in Kenya. Not only did the meeting allow new perspectives to be shared and new audiences to participate, but it also showcased the considerable strides that have taken place in the Kenyan Internet landscape in recent years and which have made the country a leader in its region. Above all, the Kenyan multistakeholder model provided leadership by example. We would like to thank the Kenyan hosts for their generous hospitality, which helped stimulate discussions. We welcomed the selection of the United Nations Office at Nairobi (UNON) as the venue for the meeting. UNON, as one of the main UN conference sites, provided the IGF with state of the art infrastructure and services. The Internet Society would like to acknowledge the technical know-how that enabled the engineering of a stable IPV6 network at the meeting venue. Last but not least, we would like to pay tribute to the work of the Multistakeholder Advisory Group (MAG) in planning the meeting, the workshop organizers and contributors, and all the participants who contributed to making the sixth IGF such an outstanding success.
    [Show full text]
  • The Internet in Transition: the State of the Transition to Ipv6 in Today's
    Please cite this paper as: OECD (2014-04-03), “The Internet in Transition: The State of the Transition to IPv6 in Today's Internet and Measures to Support the Continued Use of IPv4”, OECD Digital Economy Papers, No. 234, OECD Publishing, Paris. http://dx.doi.org/10.1787/5jz5sq5d7cq2-en OECD Digital Economy Papers No. 234 The Internet in Transition: The State of the Transition to IPv6 in Today's Internet and Measures to Support the Continued Use of IPv4 OECD FOREWORD This report was presented to the OECD Working Party on Communication, Infrastructures and Services Policy (CISP) in June 2013. The Committee for Information, Computer and Communications Policy (ICCP) approved this report in December 2013 and recommended that it be made available to the general public. It was prepared by Geoff Huston, Chief Scientist at the Asia Pacific Network Information Centre (APNIC). The report is published on the responsibility of the Secretary-General of the OECD. Note to Delegations: This document is also available on OLIS under reference code: DSTI/ICCP/CISP(2012)8/FINAL © OECD 2014 THE INTERNET IN TRANSITION: THE STATE OF THE TRANSITION TO IPV6 IN TODAY'S INTERNET AND MEASURES TO SUPPORT THE CONTINUED USE OF IPV4 TABLE OF CONTENTS FOREWORD ................................................................................................................................................... 2 THE INTERNET IN TRANSITION: THE STATE OF THE TRANSITION TO IPV6 IN TODAY'S INTERNET AND MEASURES TO SUPPORT THE CONTINUED USE OF IPV4 .......................... 4
    [Show full text]
  • Internet Society
    1 June 2016 National Telecommunications and Information Administration U.S. Department of Commerce 1401 Constitution Ave. NW, Room 4725 Attn: IOT RFC 2016 Washington, DC 20230 RE: RFC on the Internet of Things, Docket No. 160331306–6306–01 The Internet Society is pleased to submit our recent paper, “The Internet of Things: An Overview – Understanding the Issues and Challenges of a More Connected World”, in response to NTIA’s Request for Comments on the Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things (Docket No. 160331306–6306–01). The Internet Society is a global not-for-profit organization committed to the open development, evolution and use of the Internet for the benefit of all people throughout the world. Working in partnership with our global community, comprised of more than 80,000 members, 110 Chapters across the world and more than 140 organizational members, the Internet Society provides leadership and expertise on policy, technology and communications matters. (http://www.internetsociety.org) The Internet Society is also the organizational home of the Internet Engineering Task Force. One of its leadership bodies, the Internet Architecture Board, has independently submitted a response focusing on specific technical aspects of the RFC. The Internet of Things (IoT) is an emerging topic of technical, social, and economic significance. Consumer products, durable goods, cars and trucks, industrial and utility components, sensors, and other everyday objects are being combined with Internet connectivity and powerful data analytic capabilities that promise to transform the way we work, live and play. Projections for the impact of IoT on the Internet and economy are truly impressive, with some anticipating as much as 100 billion connected IoT devices and a global economic impact of more than $11 trillion by 2025.
    [Show full text]
  • Empirical Analysis of the Effects and the Mitigation of Ipv4 Address Exhaustion
    TECHNISCHE UNIVERSITÄT BERLIN FAKULTÄT FÜR ELEKTROTECHNIK UND INFORMATIK LEHRSTUHL FÜR INTELLIGENTE NETZE UND MANAGEMENT VERTEILTER SYSTEME Empirical Analysis of the Effects and the Mitigation of IPv4 Address Exhaustion vorgelegt von M.Sc. Philipp Richter geboren in Berlin von der Fakultät IV – Elektrotechnik und Informatik der Technischen Universität Berlin zur Erlangung des akademischen Grades DOKTOR DER NATURWISSENSCHAFTEN -DR. RER. NAT.- genehmigte Dissertation Promotionsausschuss: Vorsitzender: Prof. Dr.-Ing. Sebastian Möller, Technische Universität Berlin Gutachterin: Prof. Anja Feldmann, Ph.D., Technische Universität Berlin Gutachter: Prof. Vern Paxson, Ph.D., University of California, Berkeley Gutachter: Prof. Steve Uhlig, Ph.D., Queen Mary University of London Tag der wissenschaftlichen Aussprache: 2. August 2017 Berlin 2017 Abstract IP addresses are essential resources for communication over the Internet. In IP version 4, an address is represented by 32 bits in the IPv4 header; hence there is a finite pool of roughly 4B addresses available. The Internet now faces a fundamental resource scarcity problem: The exhaustion of the available IPv4 address space. In 2011, the Internet Assigned Numbers Authority (IANA) depleted its pool of available IPv4 addresses. IPv4 scarcity is now reality. In the subsequent years, IPv4 address scarcity has started to put substantial economic pressure on the networks that form the Internet. The pools of available IPv4 addresses are mostly depleted and today network operators have to find new ways to satisfy their ongoing demand for IPv4 addresses. Mitigating IPv4 scarcity is not optional, but mandatory: Networks facing address shortage have to take action in order to be able to accommodate additional subscribers and customers. Thus, if not confronted, IPv4 scarcity has the potential to hinder further growth of the Internet.
    [Show full text]
  • Policy Brief: Spectrum Approaches for Community Networks
    October 2017 Policy Brief Spectrum Approaches for Community Networks Policy Brief - Spectrum Approaches for Community Networks 2 Introduction The Internet Society’s goal is to make the Internet available for everyone, everywhere.1 The Internet currently reaches three (3) billion users, meaning that over half of the world’s population remains offline.2 This connectivity “gap” exists in urban, rural, and remote unserved and underserved areas of many countries, particularly developing and least-developed countries.3 Historically, this includes the challenge of extending connectivity infrastructure and affordable services to end-users (often times referred to as the problem of “the last mile”), and the challenge of attracting and enabling people to be online. Factors that contribute to these challenges are well understood: lack of affordable access to backbones, barriers to entry (licensing, taxes, spectrum allocation practices), low population density, high deployment costs, low economic capacities of some populations, limited availability of locally relevant content, and issues with technical skills.4 The connectivity “gap” needs to be closed. By closing this gap, economic and social benefits can be brought to communities across the globe.5 One way to help close the gap is through community-based connectivity projects6, particularly through community networks, network infrastructures built, managed, and used by local communities. To truly connect everyone, everywhere, community networks must be recognized as a viable way for the unconnected to connect their communities. This is a paradigm shift where the focus is on allowing communities to actively connect themselves. To achieve this paradigm shift, policy makers and regulators should recognize that connectivity can happen from the “village” or “community” out – where the last mile is essentially a “first-mile,” where citizens build their own networks.
    [Show full text]
  • Using PANA for Mobile Ipv6 Bootstrapping Julien Bournelle, Jean-Michel Combes, Maryline Laurent, Sondes Larafa
    Using PANA for mobile IPv6 bootstrapping Julien Bournelle, Jean-Michel Combes, Maryline Laurent, Sondes Larafa To cite this version: Julien Bournelle, Jean-Michel Combes, Maryline Laurent, Sondes Larafa. Using PANA for mobile IPv6 bootstrapping. NETWORKING 2007 : 6th international IFIP-TC6 networking conference on ad hoc and sensor networks, wireless networks, next generation Internet, May 2007, Atlanta, United States. pp.345 - 355, 10.1007/978-3-540-72606-7_30. hal-01328113 HAL Id: hal-01328113 https://hal.archives-ouvertes.fr/hal-01328113 Submitted on 7 Jun 2016 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Using PANA for Mobile IPv6 Bootstrapping Julien Bournelle1, Jean-Michel Combes2, Maryline Laurent-Maknavicius1, Sondes Larafa1 1 GET/INT, 9 rue Charles Fourier, 91011 Evry, France 2 France Telecom R&D, 38/40 rue du General Leclerc, 92784 Issy-Les-Moulineaux, France Abstract One of the current challenge of the Mo- 2 Mobile IPv6 Overview bile IPv6 Working Group at the IETF is to dynami- As it stands in [1], an IPv6 Mobile Node (MN) is cally assign to a Mobile Node its Home Agent, Home uniquely identi¯ed by its Home Address (HoA), and Address and to setup necessary security associations.
    [Show full text]
  • Internet Way of Networking Use Case Interconnection and Routing
    Internet Way of Networking Use Case Interconnection and Routing September 2020 How regulatory policy on routing and interconnection, and reduced autonomy of operators impact the Internet Way of Networking In a number of countries, there is a trend towards regulatory control of how Internet operators manage network interconnection and routing. Interconnection and routing choices are critical decisions taken for local and operational reasons to ensure network resilience and optimal traffic flows. In this use case, we will look at different facets of this trend in three countries – China, Russia, and the United States – where decreasing autonomy of networks on interconnection and routing undermine two critical properties of the Internet Way of Networking: • An Open and Accessible Infrastructure with a Common Protocol • Decentralized Management and Distributed Routing The closer the Internet gets to operating in a way that matches these critical properties, the more open and agile it is for future innovation and the broader benefits of collaboration, resiliency, global reach, and economic growth. The further the Internet is from the Internet Way of Networking, the less it resembles the global Internet with all the benefits that would otherwise bring. Many critiques of China’s small number of network choke points, or Russia’s “Sovereign Internet” law, have drawn attention to their political, social, or economic impacts. In August 2020, the U.S. Administration’s proposed “Clean Network program” also raised concerns from the technical community about its misalignment with the program’s intended goals and how damaging it could be for the open architecture that underpins the Internet Way of Networking.
    [Show full text]
  • Spirent AION
    DATASHEET Spirent AION Spirent TestCenter Broadband Access Standard and Advanced Bundles, Carrier • Enhanced Realism—Spirent Ethernet Bundle TestCenter Access test solution Overview emulates real world broadband subscriber behaviors, Triple Play Spirent AION is a flexible delivery platform that enables users to achieve improved services, and failure scenarios deployment and provisioning for all their cloud and network testing needs. It is designed to deliver ultimate flexibility in how Spirent TestCenter platforms are • Improved Testing Capacity— purchased and utilized. accomplish more in less lab space The extended platform combines a wealth of industry-leading test solutions with a with the highest number of emulated flexible licensing architecture to support a wide range of next-generation solution- subscribers and user planes per port based domain applications. and port density AION offers a centralized management hub to help leverage software and hardware • Reduced Test Time—set up tests functionalities across all lab users and locations for a simplified management and quickly and easily to validate decision-making process: system performance in realistic, unstable environments rather than • Flexible purchasing options available via subscription, consumption-based, and perpetual plans, with the ability to license different bandwidth, scale, and protocol bundles. an environment optimized for pure performance • Flexible deployment options offered include cloud-delivery, on-prem, and laptop-hosted licensing services. • Detailed Analysis—Data
    [Show full text]
  • Freedom on the Net 2016
    FREEDOM ON THE NET 2016 China 2015 2016 Population: 1.371 billion Not Not Internet Freedom Status Internet Penetration 2015 (ITU): 50 percent Free Free Social Media/ICT Apps Blocked: Yes Obstacles to Access (0-25) 18 18 Political/Social Content Blocked: Yes Limits on Content (0-35) 30 30 Bloggers/ICT Users Arrested: Yes Violations of User Rights (0-40) 40 40 TOTAL* (0-100) 88 88 Press Freedom 2016 Status: Not Free * 0=most free, 100=least free Key Developments: June 2015 – May 2016 • A draft cybersecurity law could step up requirements for internet companies to store data in China, censor information, and shut down services for security reasons, under the aus- pices of the Cyberspace Administration of China (see Legal Environment). • An antiterrorism law passed in December 2015 requires technology companies to cooperate with authorities to decrypt data, and introduced content restrictions that could suppress legitimate speech (see Content Removal and Surveillance, Privacy, and Anonymity). • A criminal law amendment effective since November 2015 introduced penalties of up to seven years in prison for posting misinformation on social media (see Legal Environment). • Real-name registration requirements were tightened for internet users, with unregistered mobile phone accounts closed in September 2015, and app providers instructed to regis- ter and store user data in 2016 (see Surveillance, Privacy, and Anonymity). • Websites operated by the South China Morning Post, The Economist and Time magazine were among those newly blocked for reporting perceived as critical of President Xi Jin- ping (see Blocking and Filtering). www.freedomonthenet.org FREEDOM CHINA ON THE NET 2016 Introduction China was the world’s worst abuser of internet freedom in the 2016 Freedom on the Net survey for the second consecutive year.
    [Show full text]